Date: Wednesday, September 21, 2022 @ 15:30:18 Author: mtorromeo Revision: 1306031
upgpkg: nginx-mod-naxsi 1.3-7: Fixes FS#75955 Added: nginx-mod-naxsi/trunk/pcre2.patch Modified: nginx-mod-naxsi/trunk/PKGBUILD Deleted: nginx-mod-naxsi/trunk/587-pcre2.patch -----------------+ 587-pcre2.patch | 268 ------------------------------------------------------ PKGBUILD | 28 ++--- pcre2.patch | 182 ++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+), 283 deletions(-) Deleted: 587-pcre2.patch =================================================================== --- 587-pcre2.patch 2022-09-21 15:30:13 UTC (rev 1306030) +++ 587-pcre2.patch 2022-09-21 15:30:18 UTC (rev 1306031) @@ -1,268 +0,0 @@ -From 5046ff477cf4216950ad6bb5a84869700578534b Mon Sep 17 00:00:00 2001 -From: laluigino <[email protected]> -Date: Fri, 11 Feb 2022 13:21:22 +0100 -Subject: [PATCH 1/3] Fix: use pcre2 when building with nginx >= 1.21.5 - -I've tried to compile naxsi 1.3 as module for nginx 1.21.6, and got the error: - -error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'} - 205 | (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code, - -I found this issue report: Ref: https://github.com/nbs-system/naxsi/issues/580 -then i tried to solve the pcre2 compatibility issue. - -I've included an helper function that is 'copied' from: https://github.com/nginx/nginx/blob/master/src/core/ngx_regex.c#L393 -that it is called in place of 'pcre_exec' when nginx_version >= 1021005 - -Not sure if this is the best solution, but I managed to build naxsi 1.3 as module for nginx 1.21.6 succesfully, and it seems to work well. - -I'm not used to develop in C anymore (since 25 years ago, at least!), but I hope that this patch I made can help anybody else. ---- - naxsi_src/naxsi_runtime.c | 80 ++++++++++++++++++++++++++++++++++++++- - 1 file changed, 78 insertions(+), 2 deletions(-) - -diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c -index b63da5b9..f7961be8 100644 ---- a/naxsi_src/naxsi_runtime.c -+++ b/naxsi_src/naxsi_runtime.c -@@ -181,6 +181,73 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx, - unsigned char* - ngx_utf8_check(ngx_str_t* str); - -+/* -+ * variables to use pcre2 -+ */ -+static pcre2_match_data *ngx_pcre2_match_data; -+static ngx_uint_t ngx_pcre2_match_data_size; -+ -+/* -+ * helper function to use pcre2 -+ */ -+ngx_int_t -+ngx_pcre2_exec(ngx_regex_t *re, unsigned char* str, unsigned int len, ngx_int_t tmp_idx, int *captures, ngx_uint_t size) -+{ -+ size_t *ov; -+ ngx_int_t rc; -+ ngx_uint_t n, i; -+ -+ /* -+ * The pcre2_match() function might allocate memory for backtracking -+ * frames, typical allocations are from 40k and above. So the allocator -+ * is configured to do direct allocations from heap during matching. -+ */ -+ -+ if (ngx_pcre2_match_data == NULL -+ || size > ngx_pcre2_match_data_size) -+ { -+ /* -+ * Allocate a match data if not yet allocated or smaller than -+ * needed. -+ */ -+ -+ if (ngx_pcre2_match_data) { -+ pcre2_match_data_free(ngx_pcre2_match_data); -+ } -+ -+ ngx_pcre2_match_data_size = size; -+ ngx_pcre2_match_data = pcre2_match_data_create(size / 3, NULL); -+ -+ if (ngx_pcre2_match_data == NULL) { -+ rc = PCRE2_ERROR_NOMEMORY; -+ goto failed; -+ } -+ } -+ -+ rc = pcre2_match(re, str, len, tmp_idx, 0, ngx_pcre2_match_data, NULL); -+ -+ if (rc < 0) { -+ goto failed; -+ } -+ -+ n = pcre2_get_ovector_count(ngx_pcre2_match_data); -+ ov = pcre2_get_ovector_pointer(ngx_pcre2_match_data); -+ -+ if (n > size / 3) { -+ n = size / 3; -+ } -+ -+ for (i = 0; i < n; i++) { -+ captures[i * 2] = ov[i * 2]; -+ captures[i * 2 + 1] = ov[i * 2 + 1]; -+ } -+ -+failed: -+ -+ return rc; -+ -+} -+ - /* - ** in : string to inspect, associated rule - ** does : apply the rule on the string, return 1 if matched, -@@ -201,7 +268,14 @@ ngx_http_process_basic_rule_buffer(ngx_str_t* str, ngx_http_rule_t* rl, ngx_int_ - tmp_idx = 0; - len = str->len; - while --#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) -+#if defined nginx_version && (nginx_version >= 1021005) -+ (tmp_idx < len && (match = ngx_pcre2_exec(rl->br->rx->regex, -+ str->data, -+ str->len, -+ tmp_idx, -+ captures, -+ 30)) >= 0) -+#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) - (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code, - 0, - (const char*)str->data, -@@ -496,7 +570,9 @@ ngx_http_naxsi_pcre_wrapper(ngx_regex_compile_t* rx, unsigned char* str, unsigne - int match; - int captures[30]; - --#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) -+#if defined nginx_version && (nginx_version >= 1021005) -+ match = ngx_pcre2_exec(rx->regex, str, len, 0, captures, 1); -+#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) - match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1); - #elif defined nginx_version && (nginx_version > 1001011) - match = pcre_exec(rx->regex->pcre, 0, (const char*)str, len, 0, 0, captures, 1); - -From 61466698c4afb6d52cd0c8bee3309ac5e5ee53ab Mon Sep 17 00:00:00 2001 -From: laluigino <[email protected]> -Date: Fri, 11 Feb 2022 18:30:30 +0100 -Subject: [PATCH 2/3] Added a check for nginx_version >= 1021005 - -Added a check for nginx_version >= 1021005 to avoid helper function definition on older versions ---- - naxsi_src/naxsi_runtime.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c -index f7961be8..c2956375 100644 ---- a/naxsi_src/naxsi_runtime.c -+++ b/naxsi_src/naxsi_runtime.c -@@ -181,6 +181,7 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx, - unsigned char* - ngx_utf8_check(ngx_str_t* str); - -+#if defined nginx_version && (nginx_version >= 1021005) - /* - * variables to use pcre2 - */ -@@ -247,6 +248,7 @@ ngx_pcre2_exec(ngx_regex_t *re, unsigned char* str, unsigned int len, ngx_int_t - return rc; - - } -+#endif - - /* - ** in : string to inspect, associated rule - -From 545c8953f95ffce368f219b932039eb0a0daf1c0 Mon Sep 17 00:00:00 2001 -From: Danila Vershinin <[email protected]> -Date: Tue, 22 Feb 2022 12:32:10 +0300 -Subject: [PATCH 3/3] Use NGX_PCRE2 conditional - -Update naxsi.h - -Don't include pcre.h in order for compilation to work both against pcre and pcre2 - -Fix pcre vs pcre2 compilation ---- - naxsi_src/naxsi.h | 1 - - naxsi_src/naxsi_config.c | 9 ++++++++- - naxsi_src/naxsi_runtime.c | 4 ++-- - naxsi_src/naxsi_utils.c | 8 ++++++++ - 4 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/naxsi_src/naxsi.h b/naxsi_src/naxsi.h -index 53df1bd8..b2f5c1a5 100644 ---- a/naxsi_src/naxsi.h -+++ b/naxsi_src/naxsi.h -@@ -19,7 +19,6 @@ - #include <ngx_http.h> - #include <ngx_http_core_module.h> - #include <ngx_md5.h> --#include <pcre.h> - - extern ngx_module_t ngx_http_naxsi_module; - -diff --git a/naxsi_src/naxsi_config.c b/naxsi_src/naxsi_config.c -index 4ea15567..6d2f0e23 100644 ---- a/naxsi_src/naxsi_config.c -+++ b/naxsi_src/naxsi_config.c -@@ -322,8 +322,11 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) - - custom_rule->target_rx = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); - return_value_if(!custom_rule->target_rx, NGX_CONF_ERROR); -- -+#if (NGX_PCRE2) -+ custom_rule->target_rx->options = PCRE2_CASELESS | PCRE2_MULTILINE; -+#else - custom_rule->target_rx->options = PCRE_CASELESS | PCRE_MULTILINE; -+#endif - custom_rule->target_rx->pattern = custom_rule->target; - custom_rule->target_rx->pool = r->pool; - custom_rule->target_rx->err.len = 0; -@@ -442,7 +445,11 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) - ha.len = tmp->len - strlen(RX_T); - rgc = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); - return_value_if(!rgc, NGX_CONF_ERROR); -+#if (NGX_PCRE2) -+ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; -+#else - rgc->options = PCRE_CASELESS | PCRE_MULTILINE; -+#endif - rgc->pattern = ha; - rgc->pool = r->pool; - rgc->err.len = 0; -diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c -index c2956375..33c20e27 100644 ---- a/naxsi_src/naxsi_runtime.c -+++ b/naxsi_src/naxsi_runtime.c -@@ -270,7 +270,7 @@ ngx_http_process_basic_rule_buffer(ngx_str_t* str, ngx_http_rule_t* rl, ngx_int_ - tmp_idx = 0; - len = str->len; - while --#if defined nginx_version && (nginx_version >= 1021005) -+#if (NGX_PCRE2) - (tmp_idx < len && (match = ngx_pcre2_exec(rl->br->rx->regex, - str->data, - str->len, -@@ -572,7 +572,7 @@ ngx_http_naxsi_pcre_wrapper(ngx_regex_compile_t* rx, unsigned char* str, unsigne - int match; - int captures[30]; - --#if defined nginx_version && (nginx_version >= 1021005) -+#if (NGX_PCRE2) - match = ngx_pcre2_exec(rx->regex, str, len, 0, captures, 1); - #elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) - match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1); -diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c -index e3d6f185..d2ecedec 100644 ---- a/naxsi_src/naxsi_utils.c -+++ b/naxsi_src/naxsi_utils.c -@@ -800,7 +800,11 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c - ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); - rgc = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target_rx; - if (rgc) { -+#if (NGX_PCRE2) -+ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; -+#else - rgc->options = PCRE_CASELESS | PCRE_MULTILINE; -+#endif - rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target; - rgc->pool = cf->pool; - rgc->err.len = 0; -@@ -816,7 +820,11 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c - ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); - rgc = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target_rx; - if (rgc) { -+#if (NGX_PCRE2) -+ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; -+#else - rgc->options = PCRE_CASELESS | PCRE_MULTILINE; -+#endif - rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target; - rgc->pool = cf->pool; - rgc->err.len = 0; Modified: PKGBUILD =================================================================== --- PKGBUILD 2022-09-21 15:30:13 UTC (rev 1306030) +++ PKGBUILD 2022-09-21 15:30:18 UTC (rev 1306031) @@ -2,7 +2,7 @@ pkgname=nginx-mod-naxsi pkgver=1.3 -pkgrel=6 +pkgrel=7 _modname=naxsi pkgdesc='Nginx Anti XSS & SQL Injection' arch=('x86_64') @@ -11,36 +11,34 @@ url="https://github.com/nbs-system/naxsi"; license=('GPL3') backup=('etc/nginx/naxsi_core.rules') -source=( - https://github.com/nbs-system/$_modname/archive/$pkgver/$_modname-$pkgver.tar.gz - 587-pcre2.patch -) +source=(https://github.com/nbs-system/$_modname/archive/$pkgver/$_modname-$pkgver.tar.gz + pcre2.patch) validpgpkeys=(B0F4253373F8F6F510D42178520A9993A1C052F8) # Maxim Dounin <[email protected]> sha256sums=('439c8677372d2597b4360bbcc10bc86490de1fc75695b193ad5df154a214d628' - 'e99f3c96e53599c0c7d1a124f422d6a878be1c571b1c29d1e9f72edd34eabe01') + 'd02832f606488f72a3e1dfd1381f157dffcbed44e67563b4c0086d2d806425ef') prepare() { - mkdir -p $srcdir/build - cd $srcdir/build - + mkdir -p "$srcdir"/build + cd "$srcdir"/build + ln -sf /usr/src/nginx/auto ln -sf /usr/src/nginx/src - # pcre2 patch - cd $srcdir/$_modname-$pkgver - patch -Np1 < $srcdir/587-pcre2.patch + # pcre2 patch + cd "$srcdir"/$_modname-$pkgver + patch -Np1 < ../pcre2.patch } build() { - cd $srcdir/build + cd "$srcdir"/build /usr/src/nginx/configure --with-compat --add-dynamic-module=../$_modname-$pkgver/naxsi_src make modules } package() { - cd $srcdir/build/objs + cd "$srcdir"/build/objs for mod in *.so; do - install -Dm755 $mod "$pkgdir"/usr/lib/nginx/modules/$mod + install -Dm755 "$mod" "$pkgdir/usr/lib/nginx/modules/$mod" done cd "$srcdir"/$_modname-$pkgver Added: pcre2.patch =================================================================== --- pcre2.patch (rev 0) +++ pcre2.patch 2022-09-21 15:30:18 UTC (rev 1306031) @@ -0,0 +1,182 @@ +diff --git a/naxsi_src/naxsi.h b/naxsi_src/naxsi.h +index 0f61d95..d7ce716 100644 +--- a/naxsi_src/naxsi.h ++++ b/naxsi_src/naxsi.h +@@ -19,7 +19,6 @@ + #include <ngx_http.h> + #include <ngx_http_core_module.h> + #include <ngx_md5.h> +-#include <pcre.h> + + extern ngx_module_t ngx_http_naxsi_module; + +@@ -497,6 +496,17 @@ typedef struct ngx_http_nx_json_s + #define LIBINJ_SQL_T "d:libinj_sql" + #define NEGATIVE_T "negative" + ++#if defined nginx_version && (nginx_version >= 1021005) ++// after 1.21.5 NGX_REGEX_MULTILINE is present. ++#define NAXSI_REGEX_OPTIONS (NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE) ++#else ++#if (NGX_PCRE2) ++#define NAXSI_REGEX_OPTIONS (PCRE2_CASELESS | PCRE2_MULTILINE) ++#else ++#define NAXSI_REGEX_OPTIONS (PCRE_CASELESS | PCRE_MULTILINE) ++#endif ++#endif ++ + /* + ** name of hardcoded variables to + ** change behavior of naxsi at runtime +diff --git a/naxsi_src/naxsi_config.c b/naxsi_src/naxsi_config.c +index 4ea1556..4b5b3cd 100644 +--- a/naxsi_src/naxsi_config.c ++++ b/naxsi_src/naxsi_config.c +@@ -323,7 +323,7 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) + custom_rule->target_rx = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); + return_value_if(!custom_rule->target_rx, NGX_CONF_ERROR); + +- custom_rule->target_rx->options = PCRE_CASELESS | PCRE_MULTILINE; ++ custom_rule->target_rx->options = NAXSI_REGEX_OPTIONS; + custom_rule->target_rx->pattern = custom_rule->target; + custom_rule->target_rx->pool = r->pool; + custom_rule->target_rx->err.len = 0; +@@ -442,7 +442,8 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) + ha.len = tmp->len - strlen(RX_T); + rgc = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); + return_value_if(!rgc, NGX_CONF_ERROR); +- rgc->options = PCRE_CASELESS | PCRE_MULTILINE; ++ ++ rgc->options = NAXSI_REGEX_OPTIONS; + rgc->pattern = ha; + rgc->pool = r->pool; + rgc->err.len = 0; +diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c +index eccdce3..eff5390 100644 +--- a/naxsi_src/naxsi_runtime.c ++++ b/naxsi_src/naxsi_runtime.c +@@ -181,6 +181,75 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx, + unsigned char* + ngx_utf8_check(ngx_str_t* str); + ++#if defined nginx_version && (nginx_version >= 1021005) ++/* ++ * variables to use pcre2 ++ */ ++static pcre2_match_data *ngx_pcre2_match_data; ++static ngx_uint_t ngx_pcre2_match_data_size; ++ ++/* ++ * helper function to use pcre2 ++ */ ++ngx_int_t ++ngx_pcre2_exec(ngx_regex_t *re, unsigned char* str, unsigned int len, ngx_int_t tmp_idx, int *captures, ngx_uint_t size) ++{ ++ size_t *ov; ++ ngx_int_t rc; ++ ngx_uint_t n, i; ++ ++ /* ++ * The pcre2_match() function might allocate memory for backtracking ++ * frames, typical allocations are from 40k and above. So the allocator ++ * is configured to do direct allocations from heap during matching. ++ */ ++ ++ if (ngx_pcre2_match_data == NULL ++ || size > ngx_pcre2_match_data_size) ++ { ++ /* ++ * Allocate a match data if not yet allocated or smaller than ++ * needed. ++ */ ++ ++ if (ngx_pcre2_match_data) { ++ pcre2_match_data_free(ngx_pcre2_match_data); ++ } ++ ++ ngx_pcre2_match_data_size = size; ++ ngx_pcre2_match_data = pcre2_match_data_create(size / 3, NULL); ++ ++ if (ngx_pcre2_match_data == NULL) { ++ rc = PCRE2_ERROR_NOMEMORY; ++ goto failed; ++ } ++ } ++ ++ rc = pcre2_match(re, str, len, tmp_idx, 0, ngx_pcre2_match_data, NULL); ++ ++ if (rc < 0) { ++ goto failed; ++ } ++ ++ n = pcre2_get_ovector_count(ngx_pcre2_match_data); ++ ov = pcre2_get_ovector_pointer(ngx_pcre2_match_data); ++ ++ if (n > size / 3) { ++ n = size / 3; ++ } ++ ++ for (i = 0; i < n; i++) { ++ captures[i * 2] = ov[i * 2]; ++ captures[i * 2 + 1] = ov[i * 2 + 1]; ++ } ++ ++failed: ++ ++ return rc; ++ ++} ++#endif ++ + /* + ** in : string to inspect, associated rule + ** does : apply the rule on the string, return 1 if matched, +@@ -201,7 +270,14 @@ ngx_http_process_basic_rule_buffer(ngx_str_t* str, ngx_http_rule_t* rl, ngx_int_ + tmp_idx = 0; + len = str->len; + while +-#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) ++#if (NGX_PCRE2) ++ (tmp_idx < len && (match = ngx_pcre2_exec(rl->br->rx->regex, ++ str->data, ++ str->len, ++ tmp_idx, ++ captures, ++ 30)) >= 0) ++#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) + (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code, + 0, + (const char*)str->data, +@@ -496,7 +572,9 @@ ngx_http_naxsi_pcre_wrapper(ngx_regex_compile_t* rx, unsigned char* str, unsigne + int match; + int captures[30]; + +-#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) ++#if (NGX_PCRE2) ++ match = ngx_pcre2_exec(rx->regex, str, len, 0, captures, 1); ++#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000) + match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1); + #elif defined nginx_version && (nginx_version > 1001011) + match = pcre_exec(rx->regex->pcre, 0, (const char*)str, len, 0, 0, captures, 1); +diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c +index 445c487..d357617 100644 +--- a/naxsi_src/naxsi_utils.c ++++ b/naxsi_src/naxsi_utils.c +@@ -800,7 +800,7 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c + ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); + rgc = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target_rx; + if (rgc) { +- rgc->options = PCRE_CASELESS | PCRE_MULTILINE; ++ rgc->options = NAXSI_REGEX_OPTIONS; + rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target; + rgc->pool = cf->pool; + rgc->err.len = 0; +@@ -816,7 +816,7 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c + ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); + rgc = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target_rx; + if (rgc) { +- rgc->options = PCRE_CASELESS | PCRE_MULTILINE; ++ rgc->options = NAXSI_REGEX_OPTIONS; + rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target; + rgc->pool = cf->pool; + rgc->err.len = 0;
